From: Robert Watson
Date: Fri, 12 Dec 2003 19:29:52 -0500 (EST)
To: Brooks Davis
cc: "Klaus-J. Wolf"
cc: current@freebsd.org
cc: Kris Kennaway
Subject: Re: [RC1] Login not possible

On Fri, 12 Dec 2003, Brooks Davis wrote:

> > > Dec 12 21:37:24 golulu login: setusercontext() failed - exiting
> > >
> > > _With_ those lines in /etc/group, id gives:
> > >
> > > uid=1000(kjwolf) gid=20(staff) groups=20(staff), 0(wheel), 5(operator),
> > > 13(games), 68(dialer), 69(network), 100(users), 1000(kjwolf),
> > > 1200(wolf), 2000(wstaff), 2001(mm), 2002(develop), 2003(classifd),
> > > 2004(mirror), 2005(mirrors), 2006(sw)
> >
> > That's 18 groups..there might be a limit of 16 somewhere that is
> > causing login to have problems.
> >
> A recent change to initgroups() changed the behavior of having too many
> groups from silent truncation to error which breaks login... One of our
> users at work ran into this. Fortunately, we were able to delete a
> number of groups for projects that never got cleaned up, but it was
> annoying and the error is extremely non-obvious.

FWIW, I think that failing here is the right thing to do (since otherwise
the kernel silently changes the access control rights of processes), but
that the failure error is a bit obscure. That said, the setusercontext()
API isn't really set up to provide more detailed error information, so
we'll need to expand the API. I wonder if it would make sense to modify
the pw/etc commands to generate warnings if they discover a user in too
many groups...

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Senior Research Scientist, McAfee Research
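
An added example, not part of the original message and not code from FreeBSD's pw: a stand-alone audit of the kind suggested above, which reads passwd(5) and group(5) text and reports accounts that belong to more groups than a given limit. The limit of 16 is the figure guessed in the thread and is counted here with the primary group included, both assumptions; the function names and the sample data are constructed for illustration.

```python
"""Report accounts whose group memberships exceed a per-process limit."""
from collections import defaultdict

# Constructed sample data in passwd(5) / group(5) format (not from the thread).
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
alice:*:1001:20:Alice:/home/alice:/bin/sh
bob:*:1002:1002:Bob:/home/bob:/bin/sh
"""
SAMPLE_GROUP = "\n".join(
    ["wheel:*:0:root,alice", "staff:*:20:alice", "bob:*:1002:"]
    + [f"proj{i}:*:{3000 + i}:alice" for i in range(16)]
) + "\n"


def records(text, gid_index):
    """Yield colon-split records, skipping comments, blanks and NIS '+' lines."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if line.lstrip().startswith("#") or len(parts) < 4:
            continue
        if parts[gid_index].isdigit():      # '+:*::' style entries have no gid
            yield parts


def group_ids_by_user(passwd_text, group_text):
    """Map each user name to the set of distinct gids it would be given."""
    gids = defaultdict(set)
    for parts in records(passwd_text, 3):
        gids[parts[0]].add(int(parts[3]))   # primary group from passwd
    for parts in records(group_text, 2):
        for member in parts[3].split(","):
            if member.strip():
                gids[member.strip()].add(int(parts[2]))
    return gids


def over_limit(passwd_text, group_text, limit=16):
    """Return {user: group_count} for users above `limit` (assumed value)."""
    table = group_ids_by_user(passwd_text, group_text)
    return {u: len(g) for u, g in sorted(table.items()) if len(g) > limit}


if __name__ == "__main__":
    for user, count in over_limit(SAMPLE_PASSWD, SAMPLE_GROUP).items():
        print(f"warning: {user} is in {count} groups (limit 16)")
```

To audit a live system, pass the contents of /etc/passwd and /etc/group instead of the sample strings and set `limit` to the platform's actual maximum.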